CVE-2026-40498
Undergoing Analysis Undergoing Analysis - In Progress
Unauthenticated Access and DoS via Exposed MD5 Hash in FreeScout

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40498
EUVD
EUVD-2026-24137
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.213 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive server information, including full internal file paths, PHP configurations, and diagnostic data, which constitutes information disclosure.

Exposure of such sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Additionally, the lack of authentication and rate limiting enables unauthorized access to administrative tools and potential denial of service attacks, undermining system integrity and availability requirements often mandated by these standards.

Therefore, this vulnerability compromises confidentiality, integrity, and availability aspects critical to compliance with common security and privacy regulations.

Executive Summary

CVE-2026-40498 affects FreeScout versions prior to 1.8.213 and involves an authentication bypass and information disclosure vulnerability in the SystemController, specifically via the /system/cron endpoint.

The vulnerability arises because several sensitive administrative routes, including /system/cron/{hash}, /system/status, and /system/tools, have authentication middleware disabled, allowing unauthenticated attackers to access them.

The /system/cron endpoint uses a static MD5 hash generated from the APP_KEY concatenated with 'web_cron_hash' as an access control mechanism. However, this hash is exposed in HTTP responses and server logs, making it easily discoverable.

Since the hash is often transmitted via GET requests, it can be leaked through browser history, proxy logs, or server logs.

The lack of authentication enforcement combined with no rate limiting enables attackers to repeatedly trigger resource-intensive background cron tasks, leading to potential Denial of Service (DoS) through resource exhaustion.

Proof of concept includes scripts and manual verification showing unauthorized access to sensitive system information such as full internal file paths, PHP configurations, directory permissions, and Artisan command logs.

Attackers can also perform brute-force attacks against the /system/cron/{hash} endpoint due to the absence of rate limiting or IP blocking, potentially discovering the valid cron hash and gaining full access to administrative cron functions and sensitive internal data.

Impact Analysis

This vulnerability can have several serious impacts:

  • Information Disclosure: Exposure of internal server paths, configurations, and diagnostic data that should be restricted to administrators.
  • Broken Access Control: Unauthorized access to admin-only tools and status pages.
  • Denial of Service (DoS): Attackers can repeatedly trigger heavy cron jobs without any rate limiting, causing resource exhaustion and potentially making the server unavailable.
  • Full Path Disclosure: Revealing full internal file paths can facilitate further attacks such as Local File Inclusion (LFI).
Detection Guidance

This vulnerability can be detected by attempting unauthenticated access to sensitive administrative endpoints such as /system/cron/{hash}, /system/status, and /system/tools. If these endpoints are accessible without authentication, the system is vulnerable.

A proof of concept includes using a Python script or manual HTTP requests to access these endpoints and check for exposure of sensitive information like full internal file paths, PHP configurations, directory permissions, and Artisan command logs.

Manual verification can also be done by opening an incognito browser session and navigating to these endpoints to see if detailed server diagnostics are revealed.

  • Use curl or wget commands to access the endpoints without authentication, for example: curl http://yourserver/system/cron/<hash>
  • Check server logs and proxy logs for exposure of the static MD5 hash used in the /system/cron endpoint, as it is often transmitted via GET requests.
  • Attempt brute-force attacks against the /system/cron/{hash} endpoint using common wordlists (e.g., RockYou) to see if the hash can be discovered due to lack of rate limiting.
Mitigation Strategies

Immediate mitigation steps include enforcing authentication on all sensitive routes by removing exceptions for /system/status and /system/tools from the authentication middleware.

Restrict access to the /system/cron endpoint to authorized IP addresses, such as localhost, to prevent unauthorized external access.

Disable detailed command output in HTTP responses for cron tasks to avoid leaking sensitive information.

Implement rate limiting on these endpoints to prevent brute-force attacks and resource exhaustion (Denial of Service) caused by repeated triggering of heavy background tasks.

Upgrade FreeScout to version 1.8.213 or later, which includes fixes such as replacing the weak MD5 hash with a more secure HMAC-SHA512 hash and improving response handling to reduce information leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40498. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart